The True Meaning of Security Assurance Levels
Have you ever wondered what a “substantial” level of cybersecurity means?
It is easy to assume that it means the solution has undergone an adequate level of security testing, but is that really the case?
The security assurance levels used in EU legislation are not necessarily that intuitive and can easily be misunderstood.
In 2019, the EU Cyber Security Act entered into force, creating a framework for the establishment of European cybersecurity certification schemes. In February 2024, the first of these EU cybersecurity schemes entered into force, namely the Common Criteria Certification Scheme (EUCC), which serves as our example here.
What is Substantial?
To begin, the proposed assurance levels in the certification scheme map to Common Criteria levels in a straightforward manner:

When we look closer at what the criteria for vulnerability assessment at Level 1 (AVA_VAN.1) require from a Common Criteria point of view, we can distinguish two main requirements:
AVA_VAN.1.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
AVA_VAN.1.3E The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.
What is described here is a vulnerability scan, in which you evaluate the presence of publicly known vulnerabilities. This can be done either in an automated manner or manually.
Performing this activity can also get you certified as having a “substantial” level of cybersecurity under the new European Cybersecurity Scheme.
This might not seem very intuitive, as a vulnerability scan is seldom the appropriate method to test physical devices, and at best it can be considered a minimal kind of assessment.
Therefore, this testing on its own would not be indicative of a truly robust solution or a substantial level of security.
Returning to the origins
These security assurance levels were introduced in the Cyber Security Act, which distinguishes between basic, substantial, and high levels of security.
They are distinguished as follows:
| Security Level | Evaluation Method |
|---|---|
| Basic | Technical documentation review |
| Substantial | Demonstrate absence of known vulnerabilities |
| | Demonstrate correct implementation of security functionalities described in the technical documentation |
| High | Demonstrate absence of known vulnerabilities |
| | Demonstrate correct implementation of state-of-the-art security functionalities described in the technical documentation |
| | Penetration test of the effectiveness of the security functionalities |

Source: EU Cyber Security Act, Article 52
In conclusion
The definition of the basic, substantial, and high assurance levels does not seem entirely fixed, as the requirement to demonstrate correct implementation of security functionalities has been dropped from the Common Criteria Cybersecurity Scheme.
More importantly, the question remains whether the assurance levels are set at an appropriate and meaningful level to deliver an intuitive and useful understanding for product manufacturers and asset owners. That might not be the case right now, and many will incorrectly interpret these levels.
If you would like assistance in building secure products that can also be certified at a high assurance level, get in touch!